RPC Server Unavailable. Group Policy Updates Fail/Extended Login Times
-
Tuesday, February 12, 2013 7:58 PM
Over the weekend we lost power at the facility for quite a few hours and this caused the server to shut down unexpectedly, as the UPS that was here before I arrived was unable to handle the load. (Currently looking at upgrading the UPS, as I'm not sure the current one is even good enough for what it's handling right now.) Anyways, on Monday morning I am bombarded with e-mails and text messages about how it's taking forever to log in - they indicate it is just hanging at the welcome screen. I say let it run for like 10 minutes and let me know if it logs in. Everyone indicates they eventually got logged in. I RDC to the server to check the event logs and I am greeted with "the system shut down unexpectedly, please indicate why". After this I check the event viewer. I don't notice anything too abnormal; a couple of things jumped out though.
"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial
synchronization of the directory has been completed. The DNS server service cannot start until
the initial synchronization is complete because critical DNS data might not yet be replicated onto
this domain controller. If events in the AD DS event log indicate that there is a problem with DNS
name resolution, consider adding the IP address of another DNS server for this domain to the DNS server
list in the Internet Protocol properties of this computer. This event will be logged every two minutes
until AD DS has signaled that the initial synchronization has successfully completed."
I read up on this error message and tried some of the fixes. The fix that appeared to resolve it was starting DNS manually as I did not get that error when I did that.
After this I restart my computer and try to log in - it hangs at the welcome screen. I decide to go into group policy and change the setting to verbose login messages so I can better see what's going on on the screen.
I run a gpupdate /force on my machine and I get this error message:
User policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
When I try the gpresult I get the same message.
Everything server side works fine and the firewall successfully can communicate with AD using LDAP. I am not sure where the issue is. DNS appears to be functioning correctly as well as I can ping hostnames inside the network and get a result, as well as I can ping host names from the DNS server and get a result.
The couple of things that do not work: no one can get a license for the design software, which has the FlexLM software running on the server; group policy cannot be updated on any machine, with the same error message; and everyone takes like 10 minutes to log in. I tried disjoining my computer from the domain and rejoining it - everything went successfully and I was able to log in - it still took 10 minutes though. I was also able to log into this computer using a new account that has never been logged into before.
Background on the environment: one domain, one server which acts as the DNS server, DHCP server, DC, GCS... etc. The server also has the Exchange Server 2013 preview installed on it. Everything was working fine until the power outage, with a couple of issues here and there that had to be resolved but nothing that resulted in loss of productivity - just things that should be taken care of but could wait until I was able to upgrade the network infrastructure, like the PDC not using a Windows time server.
Any ideas would be greatly appreciated. Still researching this one out.
- Edited by eliminat0r1985 Wednesday, February 13, 2013 9:58 PM
All Replies
-
Tuesday, February 12, 2013 9:31 PM
I also get this error message as well.
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication
Currently trying the MS fix - doing a backup of everything first just in case.
-
Wednesday, February 13, 2013 1:39 AM
Ran a dcdiag. Here are some snippets that include errors.
A warning event occurred. EventID: 0x00001695
Time Generated: 02/12/2013 19:30:19
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain '*******.' failed.
These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain)
or as an LDAP server (if the specified domain is an application partition).
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by
running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: Advertising
The DC DC1 is advertising itself as a DC and having a DS.
The DC DC1 is advertising as an LDAP server
The DC DC1 is advertising as having a writeable directory
The DC DC1 is advertising as a Key Distribution Center
The DC DC1 is advertising as a time server
The DS DC1 is advertising as a GC.
......................... DC1 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
A warning event occurred. EventID: 0x800008A5
Time Generated: 02/12/2013 12:23:32
Event String:
The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
Additional Information:
Volume: C:
GUID: ************************
Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to
unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class.
For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="*************" call ResumeReplication
Also the gpreport I run on my machine gives this as the error for not being able to update group policy.
Group Policy Infrastructure Failed 2/12/2013 8:10:33 PM Group Policy Infrastructure failed due to the error listed below.
The RPC server is unavailable.
Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 2/12/2013 8:05:16 PM and 2/12/2013 8:10:33 PM.
-
Wednesday, February 13, 2013 5:10 PM
Well this is frustrating.
I ran a dcdiag to test the DNS. Everything passes except for delegation.
TEST: Delegations (Del)
Delegation information for the zone: ********.
Delegated domain name: _msdcs.*******.
Error: DNS server: server.*******. IP:<Unavailable> [Missing glue A record]
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
OK, so it appears the server used to be called just server and they renamed it to the current name, DC1 for the sake of what's posted up there. How do I get rid of this error? I went through the metadata cleanup options to verify server no longer exists and it cannot be found anywhere. Not sure why this delegation record exists.
Summary of DNS test results:
     Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: *****
DC1  PASS PASS PASS FAIL PASS PASS n/a
......................... ***** failed test DNS
-
Wednesday, February 13, 2013 8:52 PM
I was able to fix all of the errors in the DCdiag.exe tests. The DC has now passed all of the tests. Still having some RPC issue though and the error messages are far less than helpful.
Currently capturing some network traffic on both the server and the client to see where the RPC issue lies.
Here is a screenshot of the failures I get when I try to force a group policy update.
http://www.anony.ws/i6R
Looks like I have finally singled in the actual cause of the slow login, everything else I fixed was good to fix as well though. Just need to figure out this RPC issue. Going to do a complete shutdown at the end of the night and restart after a few minutes to see if the RPC services come back and are functional.
DCdiag.exe says RPC is fine though so not sure where the disconnect is yet.
Anyone have any ideas?
-
Wednesday, February 13, 2013 9:58 PM
Now that this is a group policy issue, could a moderator please move this to the group policy forum for me?
Thank you.
-
Thursday, February 14, 2013 9:02 AM Moderator
Hi,
At first it is an AD related issue which seems resolved. Thus it is recommended to post a new thread to group policy forum instead of moving this one. You could provide the link of this thread in your new post as reference.
-
Thursday, February 14, 2013 6:17 PM
Does anyone have any ideas on this one? The RPC server is still unavailable and I cannot figure out how to resolve this. The RPC test shows good when using the dcdiag tool.
I have used port query on my own system to query that the port used is available and it is.
-
Friday, February 15, 2013 12:24 AM
Hi eliminat0r1985,
This is a tough problem, I've experienced similar issues in our multi-GEO Server 2003 AD-DS deployment. You are taking the correct steps to resolve the issue by using DC Diag, reviewing DNS, running GPRESULT, and scanning network traffic. Here are my thoughts:
1) Restart the DHCP Client, DNS Server and then NetLogon on the DC, in that order. This will clear bad-cache from the domain controller, which could allow corrupt DNS entries to cause havoc with DNS. The pivotal advice here is: AD-DS relies on DNS, period.
2) Once you've done #1 (or restarted the DC completely if you can), check the logs for NETLOGON errors. This can indicate that there is still a problem with the DNS Partition, or with the AD-DS database (.dit) itself. One way to resolve DNS corruption: Walk through the _msdcs tree of the namespace and make sure that the DC, GC, and Kerberos entries are there as they should be. Check TechNet Library or build a fresh DC on test hardware to get a valid list.
3) Anytime I have a dis-graceful shutdown on my servers, I schedule down time to run a CHKDSK or another tool like GRC's SpinRite, to check for and repair (or at least re-map) bad sectors.
4) On the DC run GPUPDATE /FORCE and check for issues and troubleshoot that (at the DC). When that works, try it on domain-joined systems (member servers & client workstations) and check the results. If they fail updating the group policy, then these two things are possible culprits: A) Bad DNS Cache; run ipconfig /flushdns, and confirm the client is pointing to the correct DNS server, and B) The 'joined' workstation/server Secure Channel is no longer synchronized -- once every so often, each domain joined system changes its secure channel password, and if this happened at about the same time as the DC dis-gracefully shut down, then the password could no longer be in sync, and the client system will need to be dis-joined (join a workgroup), the computer object 'reset' in AD, then re-joined to the domain to refresh the secure channel password.
5) One last thing to think about is firewalls; both on host systems and in the network -- the configurations could be corrupt (or not what you think they are anymore) after a bad shutdown. One way to know for certain if a firewall is blocking your traffic (without compromising security) is to enable logging on all firewalled interfaces, attempting the operation that fails, then reviewing the logs to look for the dropped packets.
As for your question about battery backup, here is what we are using right now at the branch office I work at:
1) Two APC UPSes, one 5KVA one 2.2KVA, mains from 'city power' and output to one of each of the redundant power supplies on each of the six servers and the SAN. This way, UPS maintenance can occur while systems run on 'dirty' mains, or if the power goes out, the UPSes pick up the load.
2) Since the UPSes won't last long, I've installed the free APC client and a serial cable to just one of the servers in the rack (the SAN has its own battery and shut-down automation built-in). The APC client software is running under a service account with "Remote Shutdown", "Run as a Batch Job" and "Run as a Service" rights in the domain. The APC Client software, after 15 minutes on battery, triggers a script that remotely shuts down the other 5 servers, then the host it runs on.
I'm not sure how much of this might apply to your scenario, but give them a try and post-back detailed results. I'll think some more about the situation and if I come up with anything else I'll post back.
Good luck!
'Jonru' MCP
- Marked As Answer by Shaon Shan (Microsoft Contingent Staff, Moderator), Tuesday, February 26, 2013 1:42 AM
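
The checks from steps 2 and 4 of the reply above (DC locator records under _msdcs, the client's DNS server, and the secure channel), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later on Windows 8 / Server 2012 or later and a single-domain forest as the original poster describes; corp.example and DC1 are placeholder names.

```powershell
# Added example: read-only checks, run from a domain-joined client.
# Placeholders (assumptions): 'corp.example' = AD DNS domain, 'DC1' = domain controller.
param(
    [string]$Domain = 'corp.example',
    [string]$DcName = 'DC1'
)

# SRV records the DC locator queries. In a single-domain forest the
# forest root equals the domain, so the GC record uses the same suffix.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

$report = foreach ($name in $srvNames) {
    $targets = @()
    try {
        # -DnsOnly skips LLMNR/NetBIOS so only the DNS server's answer counts.
        $targets = @(Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget })
    } catch {
        Write-Warning "$name : $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Record     = $name
        Targets    = $targets -join ', '
        PointsAtDc = [bool]($targets -like "$DcName.*")
    }
}
$report | Format-Table -AutoSize

# Step 4A: which DNS servers is this client actually using?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Step 4B: is the machine account password still in sync with the domain?
$secureChannelOk = Test-ComputerSecureChannel
Write-Output "Secure channel healthy: $secureChannelOk"
```

A record that fails to resolve, or that does not point at the DC, is the missing-registration case for which the dcdiag output quoted earlier in the thread suggests running 'nltest.exe /dsregdns' or restarting the Net Logon service on the domain controller.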

